@gokiteam/goki-dev 0.2.0

package/cli/secrets/SecretInjector.js

@@ -0,0 +1,47 @@
+import { execa } from 'execa'
+import chalk from 'chalk'
+
+export class SecretInjector {
+  constructor (secretsManager) {
+    this.secretsManager = secretsManager
+  }
+
+  formatEnv ({ format = 'shell', keys } = {}) {
+    const envMap = this.secretsManager.getEnvMap()
+    const filtered = this._filterKeys(envMap, keys)
+    if (format === 'json') {
+      return JSON.stringify(filtered, null, 2)
+    }
+    return Object.entries(filtered)
+      .map(([key, value]) => `${key}=${value}`)
+      .join('\n')
+  }
+
+  async run (command, args = [], { verbose = false } = {}) {
+    const envMap = this.secretsManager.getEnvMap()
+    if (verbose) {
+      const keyList = Object.keys(envMap).join(', ')
+      console.log(chalk.green(`\u2713 ${Object.keys(envMap).length} secrets injected (${keyList})`))
+    }
+    const result = await execa(command, args, {
+      env: { ...process.env, ...envMap },
+      stdio: 'inherit',
+      reject: false
+    })
+    if (result.exitCode !== 0) {
+      process.exit(result.exitCode)
+    }
+  }
+
+  _filterKeys (envMap, keys) {
+    if (!keys) return envMap
+    const keyList = Array.isArray(keys) ? keys : keys.split(',').map(k => k.trim())
+    const filtered = {}
+    for (const key of keyList) {
+      if (key in envMap) {
+        filtered[key] = envMap[key]
+      }
+    }
+    return filtered
+  }
+}

package/cli/secrets/SecretsConfig.js

@@ -0,0 +1,141 @@
+import fs from 'fs'
+import path from 'path'
+import chalk from 'chalk'
+
+export class SecretsConfig {
+  constructor (secretsManager) {
+    this.secretsManager = secretsManager
+  }
+
+  async loadConfig (projectDir) {
+    const configPath = path.join(projectDir, '.dev-tools', 'config.js')
+    if (!fs.existsSync(configPath)) return null
+    try {
+      const mod = await import(configPath)
+      return mod.default?.secrets || null
+    } catch {
+      return null
+    }
+  }
+
+  async setup () {
+    const projectDir = this.secretsManager.projectDir
+    if (!projectDir) {
+      console.log(chalk.blue('  \u2139 no project detected \u2014 nothing to set up'))
+      return
+    }
+    const config = await this.loadConfig(projectDir)
+    if (!config) {
+      console.log(chalk.blue('  \u2139 no secrets defined in .dev-tools/config.js'))
+      return
+    }
+    const projectName = this.secretsManager.projectName
+    const entries = Object.entries(config)
+    console.log(chalk.blue(`  \u2139 project: ${projectName} (from .dev-tools/config.js)`))
+    console.log()
+    console.log(`  Checking ${entries.length} secrets...`)
+    const missing = []
+    for (const [key, def] of entries) {
+      const scope = def.scope || 'project'
+      const scopeLabel = scope === 'global' ? 'global' : `project`
+      const value = this.secretsManager.get(key)
+      if (value !== undefined) {
+        console.log(chalk.green(`  \u2713 ${key} (${scopeLabel}) \u2014 already set`))
+      } else if (def.default !== undefined) {
+        console.log(chalk.green(`  \u2713 ${key} (${scopeLabel}) \u2014 using default`))
+        await this.secretsManager.set(key, String(def.default), {
+          scope,
+          description: def.description
+        })
+      } else {
+        console.log(chalk.red(`  \u2717 ${key} (${scopeLabel}) \u2014 missing`))
+        missing.push({ key, scope, description: def.description })
+      }
+    }
+    if (missing.length > 0) {
+      console.log()
+      const inquirer = (await import('inquirer')).default
+      for (const { key, scope, description } of missing) {
+        const { value } = await inquirer.prompt([{
+          type: 'password',
+          name: 'value',
+          message: `${key}:`,
+          mask: '\u25CF'
+        }])
+        await this.secretsManager.set(key, value, { scope, description })
+        const scopeLabel = scope === 'global'
+          ? 'global'
+          : `project: ${projectName}`
+        console.log(chalk.green(`  \u2713 set ${key} (${scopeLabel})`))
+      }
+    }
+    console.log()
+    console.log(chalk.green(`  \u2713 all ${entries.length} secrets configured`))
+    // Scan for plaintext credentials and offer to fix
+    await this._offerDoctorFix()
+  }
+
+  async _offerDoctorFix () {
+    const { SecretsDoctor } = await import('./SecretsDoctor.js')
+    const projectDir = this.secretsManager.projectDir || process.cwd()
+    const doctor = new SecretsDoctor(projectDir)
+    const findings = await doctor.scan()
+    if (findings.length === 0) return
+    console.log()
+    const label = findings.length === 1 ? 'plaintext credential' : 'plaintext credentials'
+    console.log(`  ${chalk.yellow('\u26a0')} Found ${chalk.bold(findings.length)} ${label} in project files`)
+    const inquirer = (await import('inquirer')).default
+    const { fix } = await inquirer.prompt([{
+      type: 'confirm',
+      name: 'fix',
+      message: 'Fix plaintext credentials now?',
+      default: true
+    }])
+    if (!fix) {
+      console.log(chalk.dim('  \u2192 Run `goki-secrets doctor --fix` anytime'))
+      return
+    }
+    await doctor.interactiveFix(findings, this.secretsManager)
+  }
+
+  async check () {
+    const projectDir = this.secretsManager.projectDir
+    if (!projectDir) {
+      console.log(chalk.blue('  \u2139 no project detected \u2014 nothing to check'))
+      return true
+    }
+    const config = await this.loadConfig(projectDir)
+    if (!config) {
+      console.log(chalk.blue('  \u2139 no secrets defined in .dev-tools/config.js'))
+      return true
+    }
+    const projectName = this.secretsManager.projectName
+    const entries = Object.entries(config)
+    let missingCount = 0
+    for (const [key, def] of entries) {
+      const scope = def.scope || 'project'
+      const scopeLabel = scope === 'global'
+        ? 'global'
+        : `project: ${projectName}`
+      const value = this.secretsManager.get(key)
+      if (value !== undefined) {
+        console.log(chalk.green(`  \u2713 ${key} (${scopeLabel})`))
+      } else if (def.default !== undefined) {
+        console.log(chalk.green(`  \u2713 ${key} (${scopeLabel}) \u2014 default`))
+      } else if (def.required) {
+        console.log(chalk.red(`  \u2717 ${key} (${scopeLabel}) \u2014 missing`))
+        missingCount++
+      } else {
+        console.log(chalk.gray(`  - ${key} (${scopeLabel}) \u2014 not set (optional)`))
+      }
+    }
+    console.log()
+    if (missingCount > 0) {
+      const label = missingCount === 1 ? 'required secret' : 'required secrets'
+      console.log(chalk.red(`  \u2717 ${missingCount} ${label} missing. Run: goki-secrets setup`))
+      return false
+    }
+    console.log(chalk.green('  \u2713 all secrets configured'))
+    return true
+  }
+}

package/cli/secrets/SecretsDoctor.js

@@ -0,0 +1,384 @@
+import fs from 'fs'
+import path from 'path'
+import os from 'os'
+import chalk from 'chalk'
+
+const SENSITIVE_PATTERNS = /^(.*_)?(PASSWORD|SECRET|API_KEY|AUTH_TOKEN|PRIVATE_KEY|NPM_TOKEN|ACCESS_TOKEN|REFRESH_TOKEN|CLIENT_SECRET)$/i
+
+const ENV_FILES = ['.env', '.env.local', '.env.development', '.env.production', '.env.test']
+const CONFIG_FILES = ['config.development', 'config.production', 'config.test', 'config.staging']
+const COMPOSE_FILES = [
+  'docker-compose.yml',
+  'docker-compose.yaml',
+  'docker-compose.override.yml',
+  'docker-compose.services.yml'
+]
+
+function isPlaceholder (value) {
+  if (!value || value.trim() === '') return true
+  if (/^\$\{.+\}$/.test(value)) return true
+  if (/^<.+>$/.test(value)) return true
+  return false
+}
+
+function maskValue (value) {
+  if (!value) return '****'
+  if (value.length <= 4) return '****'
+  return value.substring(0, 4) + '****'
+}
+
+function resolveAbsPath (projectDir, displayPath) {
+  if (displayPath === '~/.npmrc') return path.join(os.homedir(), '.npmrc')
+  return path.join(projectDir, displayPath)
+}
+
+export class SecretsDoctor {
+  constructor (projectDir) {
+    this._projectDir = path.resolve(projectDir)
+  }
+
+  async scan () {
+    const findings = []
+    this._scanNpmrc(findings)
+    this._scanEnvFiles(findings)
+    this._scanConfigFiles(findings)
+    this._scanComposeFiles(findings)
+    return findings
+  }
+
+  report (findings) {
+    console.log()
+    console.log('  Scanning for plaintext credentials...')
+    console.log()
+    if (findings.length === 0) {
+      console.log(`  ${chalk.green('✓')} No plaintext credentials found`)
+      console.log()
+      return
+    }
+    for (const finding of findings) {
+      console.log(`  ${chalk.yellow('⚠')} ${chalk.white(`${finding.file}:${finding.line}`)} — ${finding.message}`)
+      console.log(`    ${chalk.dim('→')} ${chalk.cyan(finding.fix)}`)
+      console.log()
+    }
+    const label = findings.length === 1 ? 'plaintext credential' : 'plaintext credentials'
+    console.log(`  Found ${chalk.yellow(findings.length)} ${label}`)
+    console.log()
+  }
+
+  fixFinding (finding) {
+    const absPath = resolveAbsPath(this._projectDir, finding.file)
+    const content = fs.readFileSync(absPath, 'utf-8')
+    const lines = content.split('\n')
+    const lineIdx = finding.line - 1
+    if (lineIdx < 0 || lineIdx >= lines.length) return
+    const line = lines[lineIdx]
+    switch (finding.type) {
+      case 'npm_token':
+        lines[lineIdx] = line.replace(/_authToken=.+/, `_authToken=\${${finding.secretKey}}`)
+        break
+      case 'env_secret':
+        lines[lineIdx] = `# ${finding.secretKey}= # managed by goki-secrets`
+        break
+      case 'config_secret':
+        lines[lineIdx] = line.replace(
+          /([A-Z_][A-Z0-9_]*)[\s]*[=:][\s]*.+/,
+          `# $1= # managed by goki-secrets`
+        )
+        break
+      case 'compose_secret': {
+        const listMatch = line.match(/^(\s*-\s*)[A-Z_][A-Z0-9_]*=.+$/)
+        const mapMatch = line.match(/^(\s*)[A-Z_][A-Z0-9_]*\s*:\s*.+$/)
+        if (listMatch) {
+          lines[lineIdx] = `${listMatch[1]}${finding.secretKey}`
+        } else if (mapMatch) {
+          lines[lineIdx] = `${mapMatch[1]}- ${finding.secretKey}`
+        }
+        break
+      }
+    }
+    fs.writeFileSync(absPath, lines.join('\n'))
+  }
+
+  async interactiveFix (findings, secretsManager) {
+    const inquirer = (await import('inquirer')).default
+    let migratedKeys = 0
+    let fixedFiles = 0
+    let skippedKeys = 0
+    let skipAll = false
+    // Group findings by secretKey (preserving insertion order)
+    const byKey = new Map()
+    for (const f of findings) {
+      if (!byKey.has(f.secretKey)) byKey.set(f.secretKey, [])
+      byKey.get(f.secretKey).push(f)
+    }
+    for (const [secretKey, keyFindings] of byKey) {
+      if (skipAll) {
+        skippedKeys++
+        continue
+      }
+      console.log()
+      const scope = keyFindings[0].scope || 'global'
+      const scopeLabel = scope === 'global' ? 'global' : `project: ${secretsManager.projectName}`
+      if (keyFindings.length === 1) {
+        // Single finding — simple prompt
+        const f = keyFindings[0]
+        console.log(`  ${chalk.yellow('⚠')} ${chalk.cyan(secretKey)} — ${chalk.white(`${f.file}:${f.line}`)}`)
+        console.log(`    ${f.message}`)
+        console.log(`    Value: ${chalk.dim(maskValue(f.value))}`)
+        const { action } = await inquirer.prompt([{
+          type: 'list',
+          name: 'action',
+          message: `Migrate ${chalk.cyan(secretKey)} to keychain and fix ${f.file}?`,
+          choices: [
+            { name: 'Yes', value: 'yes' },
+            { name: 'Skip', value: 'skip' },
+            { name: 'Skip all remaining', value: 'skip_all' }
+          ]
+        }])
+        if (action === 'skip_all') {
+          skipAll = true
+          skippedKeys++
+          console.log(`  ${chalk.dim('⊘ skipped')}`)
+          continue
+        }
+        if (action === 'skip') {
+          skippedKeys++
+          console.log(`  ${chalk.dim('⊘ skipped')}`)
+          continue
+        }
+        await secretsManager.set(secretKey, f.value, { scope })
+        this.fixFinding(f)
+        console.log(`  ${chalk.green('✓')} saved ${chalk.cyan(secretKey)} (${scopeLabel}) — ${f.file}:${f.line} updated`)
+        migratedKeys++
+        fixedFiles++
+      } else {
+        // Multiple findings — show all locations, offer bulk fix
+        console.log(`  ${chalk.yellow('⚠')} ${chalk.cyan(secretKey)} — found in ${chalk.bold(keyFindings.length)} files:`)
+        for (let i = 0; i < keyFindings.length; i++) {
+          const f = keyFindings[i]
+          console.log(`    ${i + 1}. ${chalk.white(`${f.file}:${f.line}`)} — ${f.message}`)
+        }
+        console.log(`    Value: ${chalk.dim(maskValue(keyFindings[0].value))}`)
+        const { action } = await inquirer.prompt([{
+          type: 'list',
+          name: 'action',
+          message: `Fix ${chalk.cyan(secretKey)}?`,
+          choices: [
+            { name: `Fix all ${keyFindings.length} usages`, value: 'fix_all' },
+            { name: 'Choose per file', value: 'per_file' },
+            { name: 'Skip this key', value: 'skip' },
+            { name: 'Skip all remaining', value: 'skip_all' }
+          ]
+        }])
+        if (action === 'skip_all') {
+          skipAll = true
+          skippedKeys++
+          console.log(`  ${chalk.dim('⊘ skipped')}`)
+          continue
+        }
+        if (action === 'skip') {
+          skippedKeys++
+          console.log(`  ${chalk.dim('⊘ skipped')}`)
+          continue
+        }
+        if (action === 'fix_all') {
+          await secretsManager.set(secretKey, keyFindings[0].value, { scope })
+          console.log(`  ${chalk.green('✓')} saved ${chalk.cyan(secretKey)} (${scopeLabel})`)
+          for (const f of keyFindings) {
+            this.fixFinding(f)
+            console.log(`    ${chalk.green('✓')} ${f.file}:${f.line} updated`)
+            fixedFiles++
+          }
+          migratedKeys++
+          continue
+        }
+        // per_file — prompt for each file individually
+        let savedToKeychain = false
+        let anyFixed = false
+        for (const f of keyFindings) {
+          const { fileAction } = await inquirer.prompt([{
+            type: 'list',
+            name: 'fileAction',
+            message: `  Fix ${chalk.white(`${f.file}:${f.line}`)}?`,
+            choices: [
+              { name: 'Yes', value: 'yes' },
+              { name: 'Skip', value: 'skip' }
+            ]
+          }])
+          if (fileAction === 'skip') {
+            console.log(`    ${chalk.dim('⊘ skipped')}`)
+            continue
+          }
+          if (!savedToKeychain) {
+            await secretsManager.set(secretKey, f.value, { scope })
+            console.log(`  ${chalk.green('✓')} saved ${chalk.cyan(secretKey)} (${scopeLabel})`)
+            savedToKeychain = true
+          }
+          this.fixFinding(f)
+          console.log(`    ${chalk.green('✓')} ${f.file}:${f.line} updated`)
+          fixedFiles++
+          anyFixed = true
+        }
+        if (anyFixed) migratedKeys++
+        else skippedKeys++
+      }
+    }
+    console.log()
+    if (migratedKeys === 0 && skippedKeys === 0) {
+      console.log(`  ${chalk.green('✓')} Nothing to migrate`)
+    } else {
+      const fileLabel = fixedFiles === 1 ? 'file' : 'files'
+      console.log(`  ${chalk.green('✓')} migrated ${chalk.bold(migratedKeys)} secrets (${fixedFiles} ${fileLabel} fixed), skipped ${skippedKeys}`)
+    }
+    console.log()
+  }
+
+  _scanNpmrc (findings) {
+    const locations = [
+      path.join(this._projectDir, '.npmrc'),
+      path.join(os.homedir(), '.npmrc')
+    ]
+    for (const filePath of locations) {
+      if (!fs.existsSync(filePath)) continue
+      const lines = fs.readFileSync(filePath, 'utf-8').split('\n')
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i].trim()
+        const match = line.match(/_authToken=(.+)/)
+        if (!match) continue
+        const value = match[1].trim()
+        if (/^\$\{.+\}$/.test(value)) continue
+        const preview = value.substring(0, 8)
+        const isHomeNpmrc = filePath === path.join(os.homedir(), '.npmrc')
+        const displayPath = isHomeNpmrc
+          ? '~/.npmrc'
+          : path.relative(this._projectDir, filePath)
+        findings.push({
+          file: displayPath,
+          line: i + 1,
+          type: 'npm_token',
+          message: `contains auth token (${preview}...)`,
+          fix: 'goki-secrets set NPM_TOKEN --global',
+          value,
+          secretKey: 'NPM_TOKEN',
+          scope: 'global'
+        })
+      }
+    }
+  }
+
+  _scanEnvFiles (findings) {
+    for (const fileName of ENV_FILES) {
+      const filePath = path.join(this._projectDir, fileName)
+      if (!fs.existsSync(filePath)) continue
+      const lines = fs.readFileSync(filePath, 'utf-8').split('\n')
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i].trim()
+        if (!line || line.startsWith('#')) continue
+        const match = line.match(/^([A-Z_][A-Z0-9_]*)=(.*)$/)
+        if (!match) continue
+        const key = match[1]
+        const value = match[2].trim().replace(/^["']|["']$/g, '')
+        if (!SENSITIVE_PATTERNS.test(key)) continue
+        if (isPlaceholder(value)) continue
+        findings.push({
+          file: fileName,
+          line: i + 1,
+          type: 'env_secret',
+          message: `${key} contains plaintext value`,
+          fix: `goki-secrets set ${key}`,
+          value,
+          secretKey: key,
+          scope: 'project'
+        })
+      }
+    }
+  }
+
+  _scanConfigFiles (findings) {
+    for (const fileName of CONFIG_FILES) {
+      const filePath = path.join(this._projectDir, fileName)
+      if (!fs.existsSync(filePath)) continue
+      const lines = fs.readFileSync(filePath, 'utf-8').split('\n')
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i].trim()
+        if (!line || line.startsWith('#') || line.startsWith('//')) continue
+        const match = line.match(/([A-Z_][A-Z0-9_]*)[\s]*[=:][\s]*(.+)/)
+        if (!match) continue
+        const key = match[1]
+        const value = match[2].trim().replace(/[,'"]/g, '').trim()
+        if (!SENSITIVE_PATTERNS.test(key)) continue
+        if (isPlaceholder(value)) continue
+        findings.push({
+          file: fileName,
+          line: i + 1,
+          type: 'config_secret',
+          message: `${key} in plaintext`,
+          fix: `goki-secrets set ${key}`,
+          value,
+          secretKey: key,
+          scope: 'project'
+        })
+      }
+    }
+  }
+
+  _scanComposeFiles (findings) {
+    const composeGlobs = this._findComposeFiles()
+    for (const filePath of composeGlobs) {
+      if (!fs.existsSync(filePath)) continue
+      const lines = fs.readFileSync(filePath, 'utf-8').split('\n')
+      let inEnvironment = false
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]
+        const trimmed = line.trim()
+        if (/^environment\s*:/.test(trimmed)) {
+          inEnvironment = true
+          continue
+        }
+        if (inEnvironment && trimmed && !trimmed.startsWith('-') && !trimmed.startsWith('#') && !trimmed.includes('=') && !trimmed.includes(':')) {
+          inEnvironment = false
+        }
+        if (inEnvironment && /^\S/.test(line) && !/^\s/.test(line)) {
+          inEnvironment = false
+        }
+        if (!inEnvironment) continue
+        const listMatch = trimmed.match(/^-\s*([A-Z_][A-Z0-9_]*)=(.+)$/)
+        const mapMatch = trimmed.match(/^([A-Z_][A-Z0-9_]*)\s*:\s*(.+)$/)
+        const kvMatch = listMatch || mapMatch
+        if (!kvMatch) continue
+        const key = kvMatch[1]
+        const value = kvMatch[2].trim().replace(/^["']|["']$/g, '')
+        if (!SENSITIVE_PATTERNS.test(key)) continue
+        if (isPlaceholder(value)) continue
+        findings.push({
+          file: path.relative(this._projectDir, filePath),
+          line: i + 1,
+          type: 'compose_secret',
+          message: `${key} hardcoded as "${value}"`,
+          fix: `goki-secrets set ${key} --global`,
+          value,
+          secretKey: key,
+          scope: 'global'
+        })
+      }
+    }
+  }
+
+  _findComposeFiles () {
+    const files = []
+    for (const name of COMPOSE_FILES) {
+      files.push(path.join(this._projectDir, name))
+    }
+    try {
+      const entries = fs.readdirSync(this._projectDir)
+      for (const entry of entries) {
+        if (/^docker-compose\..+\.(yml|yaml)$/.test(entry) && !COMPOSE_FILES.includes(entry)) {
+          files.push(path.join(this._projectDir, entry))
+        }
+      }
+    } catch {
+      // Directory not readable, skip
+    }
+    return files
+  }
+}